In versions of Microsoft Exchange Server prior to Exchange Server 2007, a server could be deployed into an organization and, by default, would not require HTTPS (SSL) for any of its client-server or server-server communications.
Of course, for organizations that recognized the value of securing their network communications, the wise move was to install an SSL certificate for the IIS instance on the Exchange server and use SSL for user access to services such as Outlook Web Access and ActiveSync, at least for external access if not for internal access as well.
However, this was not mandatory, and it certainly isn’t unusual to encounter legacy Exchange environments that allow external access over insecure HTTP connections. This lack of SSL encryption exposes end users' authentication credentials in clear text and risks them being compromised by attackers and used to gain access to your network.
Since the release of Exchange Server 2007, Microsoft has changed the default behaviour so that SSL is required for many services, even when they are only used internally. So a newly installed Exchange server hosting the Client Access server role has SSL required by default for services such as:
- Outlook Web App (OWA)
- ActiveSync (mobile device access)
- Exchange Web Services
- Outlook Anywhere (also known as RPC over HTTPS)
Because of this “secure by default” behaviour the Exchange Server installation process generates self-signed SSL certificates to bind to IIS and use for those services.
Although this means that services such as Outlook Web App, Outlook Anywhere, and ActiveSync are encrypted right from the moment the Exchange server is installed, the use of self-signed SSL certificates in Exchange Server 2013 is only intended to be temporary while the administrator acquires and installs the correct SSL certificates for the server, since clients will not trust a certificate the server issued to itself.
Exchange Server administrators should acquire and install SSL certificates on new Exchange Server deployments to replace those self-signed certificates. You can read more about this process at the following resources:
- Exchange Server 2016 SSL Certificates
- Exchange Server 2013 SSL Certificates
- Exchange Server 2010 SSL Certificates
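One way to check where a server stands before and after that replacement, as an added example that is not part of the original article: the Exchange Management Shell script below lists each certificate still bound to IIS, flags the install-time self-signed ones, and compares the hostnames clients are directed to (OWA, EWS, ActiveSync, Autodiscover and Outlook Anywhere) against the names the certificate actually covers. It assumes it runs on the Exchange 2013/2016 Client Access server being checked, and the helper function names are my own.

```powershell
# Added example (not the article's own code): audit the certificate an Exchange
# Client Access server presents to HTTPS clients. Run in the Exchange
# Management Shell on the server itself.
$server = $env:COMPUTERNAME

# Returns the lower-cased host part of each non-empty URL it is given.
function Get-HostNames {
    param($Uris)
    foreach ($u in $Uris) { if ($u) { ([uri]$u).Host.ToLower() } }
}

# True when $Name is listed on the certificate, either exactly or via a
# wildcard entry (*.example.com), which covers exactly one extra label.
function Test-NameCovered {
    param([string]$Name, [string[]]$CertDomains)
    foreach ($d in $CertDomains) {
        if ($d -eq $Name) { return $true }
        if ($d.StartsWith('*.') -and $Name -like "*.$($d.Substring(2))" -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

# Every hostname a client may be told to connect to over HTTPS on this server.
$names = @(
    Get-HostNames ((Get-OwaVirtualDirectory -Server $server) | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    Get-HostNames ((Get-WebServicesVirtualDirectory -Server $server) | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    Get-HostNames ((Get-ActiveSyncVirtualDirectory -Server $server) | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    Get-HostNames ((Get-ClientAccessServer $server).AutoDiscoverServiceInternalUri)
    (Get-OutlookAnywhere -Server $server) | ForEach-Object { $_.InternalHostname, $_.ExternalHostname } |
        Where-Object { $_ } | ForEach-Object { "$_".ToLower() }
) | Sort-Object -Unique

# Only certificates with the IIS service enabled are served to OWA/EWS/EAS clients.
Get-ExchangeCertificate -Server $server | Where-Object { $_.Services -match 'IIS' } | ForEach-Object {
    $domains = @($_.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $missing = @($names | Where-Object { -not (Test-NameCovered $_ $domains) })
    [pscustomobject]@{
        Thumbprint   = $_.Thumbprint
        Subject      = $_.Subject
        # The certificate Exchange generates at install time is issued to itself.
        SelfSigned   = ($_.Issuer -eq $_.Subject)
        DaysToExpiry = [int]($_.NotAfter - (Get-Date)).TotalDays
        # Any name listed here will produce certificate warnings in clients.
        Uncovered    = ($missing -join ', ')
    }
} | Format-List
```

A row with SelfSigned set to True, or with anything in Uncovered, is a server that still needs the proper certificate from the guides above.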
Exchange Server Pro recommends using Digicert UC Certificates for Exchange Server.
Here are some more recent articles with tips and troubleshooting solutions for Exchange Server SSL certificate scenarios:
- Exchange Server 2016 Migration – Configuring Client Access Services
- Exchange Server 2016 Migration – Reviewing SSL Certificates
- Detecting SSL 3.0 Configuration Changes with Exchange Analyzer
- Configuring the TLS Certificate Name for Exchange Server Receive Connectors
- Exchange Best Practices: Client Access Namespaces
- Exporting and Importing Exchange Server 2016 SSL Certificates
- Exchange Server 2016 FAQ: Can I Re-Use My Existing SSL Certificate?
- Assign an SSL Certificate to Exchange Server 2016 Services
- Completing a Pending SSL Certificate Request for Exchange Server 2016
- Certificate Warnings in Outlook After Installing Exchange Server 2016